1 pointThat's because you're using mysqli_real_escape_string. You don't need that function, that's only for databases and it's also only used in really old code. If all you're doing is sending an e-mail, remove the entire database connection file. For escaping things in an HTML e-mail, use htmlspecialchars(). That semi-colon is correct, it separates two of the components of the Content-Type header.
1 pointThat's true about localStorage and sessionStorage, I just said that because previous questions by this user were about sessions in ASP.